UserLock Review

UserLock’s purpose is self-evident: it lets you lock down users on a Windows network. It restricts users from accessing designated machines, provides reports on user activity, and gives network administrators a way to remotely control user sessions. It’s of particular use to healthcare and legal organizations that may have to adhere to compliance regulations like HIPAA or SOX. It’s also scalable and can be deployed to a network with 10 or 1,000 users. Customers range from vast corporations like BMW to individual IT consultants. In testing, UserLock efficiently and quickly handled restricting users from network access based on criteria I specified.

UserLock offers control over user accounts in a more granular way than Windows’ Group Policy. The app doesn’t completely take the place of Group Policy (GP): you can’t restrict what a user sees on a desktop or disable CD Autoplay, for example. But UserLock can be used in tandem with GP to keep stringent control of a Windows network. For instance, as a network administrator, I can keep users from accessing specific network resources using GP, but I can also restrict login access for those users, say, after business hours, with UserLock. You have an extra layer of control with UserLock. It also applies changes throughout the network more quickly and efficiently than GP often does. Anyone who has added GP rules to a Windows domain may remember the frustration of waiting for those rules to actually take hold after running a group policy update command (I know I have).

Although UserLock isn’t about end-point security and focuses more on user access control, it does share features with end-point security products, such as DeviceLock ($35 direct). Like DeviceLock, UserLock has auditing capabilities to report on user session activity. It will even write activity like user logon sessions to a database. You can’t limit access to USB drives and other devices with UserLock like you can with DeviceLock, but you can prevent users from accessing any machine by name, IP address or even by time of day.

There’s nothing fancy about the interface. It uses a left-side hierarchical tree structure for tasks, much like any of the Windows Server Role snap-ins in Server 2008. Windows administrators will feel right at home here. The familiar interface is easy and intuitive to navigate, so you can get right to the business of hardening network security. At a price of $10.50 USD per user session (the price goes down as the number of user session licenses purchased goes up), it won’t break the bank, either.

Setup’s a cinch—install the UserLock Server and then deploy agents to user machines. You install UserLock server on a Windows domain controller or a member server. After install, the UserLock Service Configuration Wizard assists in configuring the server type, the server zone to be protected (the Windows domain, in my test network) and the service account.

You deploy agents through the Administration Console. I deployed the agent to a server, two physical machines and a Windows 7 virtual machine running in Hyper-V. The deployment process was fast and easy with no errors. I am, admittedly, running a small-scale Windows domain. Still, results should be reasonably scalable in larger networks since the agent is a relatively lightweight piece of code.

After agent deployment, users are added in the console as “Protected Accounts.” UserLock integrates nicely with Active Directory (AD), so adding a user account is as easy in UserLock as it is to give folder permissions to a user in Windows. Just type the name, and UserLock will check for that account against AD and add it in the console.

Giving user rights (or taking them away) is where the fun begins. You can limit the number or type of sessions users can establish. For instance, I restricted my user to only one workstation session at a time, meaning the account cannot be used to simultaneously log into more than one machine. It can be wearisome to search for a similar setting using Group Policy Manager: there are lots of policy settings to sift through, and the ones pertaining to user accounts sometimes don’t do exactly what an admin needs them to. Network administrators also have the choice of scripting, but this entails learning a new skill set and still working within the confines of Group Policy.

That’s where third-party tools like UserLock and LimitLogon come in, to do those tasks for you. The big advantage of UserLock, though, is its simplicity. LimitLogon requires configuring IIS Server with additional components, so it’s more involved to set up.

What I really liked was that, once I set that user restriction, it happened right away. That user account received the default notification that access was denied when I used the account to log in to a second machine while still logged into another. I was also pleased that canned notification/warning messages are editable; you can flash corporate policy violation or HIPAA violation messages on screen, which is a handy way to educate users about corporate policy.

Restriction settings can also be assigned to user groups. Other restrictions include limiting terminal, interactive, and RAS sessions. You can also restrict user access by time of day and by specific workstation. Additional features include in-the-box reporting, a Task Scheduler, and automatic purge of database records.

UserLock enables auditing by writing user session history to a Microsoft Access database. This is not just a nice feature but may be a necessary one, in the case of some compliance regulations. You can configure UserLock to write to a different database; I tried to set it to write to SQL, but ran into a permissions issue. The UserLock support staff was able to assist in getting the permissions issue resolved, though.

UserLock has very specific functionality and it works well. It works so efficiently I wish there were more things you could do with it, like control what users see on their desktops or control access to applications. Still, it’s a simpler way to get some network administrative housekeeping tasks done than using Group Policy or scripting. More important, it aids in shoring up network security. Overall, UserLock is a solid tool that any Windows network administrator should consider adding to their network management toolkit if tight user access control is mandatory for their organization.

The Review Crew is a group of beat editors, writers, and consultants that have been working together for years. They know just about everything about everything collectively and have published their collective work under the Review Crew brand moniker for almost 20 years.